summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2022-08-08 14:46:30 +0000
committerGitHub <noreply@github.com>2022-08-08 14:46:30 +0000
commit9d67d907ea8ca59b94643fbe78fd122ded6aed06 (patch)
tree82dfa146083835c4c4c1b287bc25ea8da7f352d7
parent70b03400b18c80ee8a2864d0af1012ec8683a26a (diff)
parent2e3a192bb0968e0c07627165de429bd9942af88d (diff)
downloadpodman-9d67d907ea8ca59b94643fbe78fd122ded6aed06.tar.gz
podman-9d67d907ea8ca59b94643fbe78fd122ded6aed06.tar.bz2
podman-9d67d907ea8ca59b94643fbe78fd122ded6aed06.zip
Merge pull request #15236 from giuseppe/refuse-userns-with-uidmap
cmd: refuse --userns if a mapping is specified
-rw-r--r--cmd/podman/containers/create.go16
-rw-r--r--test/e2e/run_userns_test.go24
2 files changed, 31 insertions, 9 deletions
diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go
index 7d0f4d9ae..455127fd7 100644
--- a/cmd/podman/containers/create.go
+++ b/cmd/podman/containers/create.go
@@ -192,16 +192,14 @@ func replaceContainer(name string) error {
}
func CreateInit(c *cobra.Command, vals entities.ContainerCreateOptions, isInfra bool) (entities.ContainerCreateOptions, error) {
- vals.UserNS = c.Flag("userns").Value.String()
- // if user did not modify --userns flag and did turn on
- // uid/gid mappings, set userns flag to "private"
- if !c.Flag("userns").Changed && vals.UserNS == "host" {
- if len(vals.UIDMap) > 0 ||
- len(vals.GIDMap) > 0 ||
- vals.SubUIDName != "" ||
- vals.SubGIDName != "" {
- vals.UserNS = "private"
+ if len(vals.UIDMap) > 0 || len(vals.GIDMap) > 0 || vals.SubUIDName != "" || vals.SubGIDName != "" {
+ if c.Flag("userns").Changed {
+ return vals, errors.New("--userns and --uidmap/--gidmap/--subuidname/--subgidname are mutually exclusive")
}
+ // force userns flag to "private"
+ vals.UserNS = "private"
+ } else {
+ vals.UserNS = c.Flag("userns").Value.String()
}
if c.Flag("kernel-memory") != nil && c.Flag("kernel-memory").Changed {
logrus.Warnf("The --kernel-memory flag is no longer supported. This flag is a noop.")
diff --git a/test/e2e/run_userns_test.go b/test/e2e/run_userns_test.go
index 613727118..f247b2dac 100644
--- a/test/e2e/run_userns_test.go
+++ b/test/e2e/run_userns_test.go
@@ -307,6 +307,30 @@ var _ = Describe("Podman UserNS support", func() {
}
})
+
+ It("podman --userns= conflicts with ui[dg]map and sub[ug]idname", func() {
+ session := podmanTest.Podman([]string{"run", "--userns=host", "--uidmap=0:1:500", "alpine", "true"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(125))
+ Expect(session.ErrorToString()).To(ContainSubstring("--userns and --uidmap/--gidmap/--subuidname/--subgidname are mutually exclusive"))
+
+ session = podmanTest.Podman([]string{"run", "--userns=host", "--gidmap=0:200:5000", "alpine", "true"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(125))
+ Expect(session.ErrorToString()).To(ContainSubstring("--userns and --uidmap/--gidmap/--subuidname/--subgidname are mutually exclusive"))
+
+ // with sub[ug]idname we don't check for the error output since the error message could be different, depending on the
+ // system configuration since the specified user could not be defined and cause a different earlier error.
+ // In any case, make sure the command doesn't succeed.
+ session = podmanTest.Podman([]string{"run", "--userns=private", "--subuidname=containers", "alpine", "true"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Not(Exit(0)))
+
+ session = podmanTest.Podman([]string{"run", "--userns=private", "--subgidname=containers", "alpine", "true"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Not(Exit(0)))
+ })
+
It("podman PODMAN_USERNS", func() {
SkipIfNotRootless("keep-id only works in rootless mode")